The Forgetting Curve - The Importance of Reinforcement

October 29, 2012

Security Awareness Program Planning

Changing Behavior

Organization Culture Change

I recently attended the Learning 3.0 Conference in Chicago, IL. As someone whose career has been primarily about security and mitigating risk, I realized we have a lot to learn from others about cognitive behavior and the science of learning. I attended several excellent talks at the event which I'll be sharing over the week. The first lesson I want to share with you is the Forgetting Curve, research first done by Hermann Ebbinghaus in 1885.

The concept is that humans quickly forget what they learn unless that information is reinforced. If you think about it, this makes perfect sense. We as people are constantly bombarded with information, and we can retain only so much. As a survival mechanism, the brain retains (or 'encodes') what it can, but over time dumps most of the information to create room to retain other key information. If the topic is never needed again, nothing is lost. However, if the brain finds itself needing the information again, it realizes the information is important and is more likely to permanently remember it. Kind of sounds like caching, doesn't it? :)

This is why, for security awareness training, it is so important that we are continually updating and reminding people about key points. In a talk I attended by Dr. Art Kohn, a specialist in Cognitive Science - Educational Psychology, he suggested the following schedule for reinforcing (or boosting) key points.

Reinforce within the first two days. A perfect way to do this is with a follow-up survey asking people what is the key thing they learned from the training, and which behavior they changed as a result of the training.

Reinforce within the first two weeks. A perfect way to do this would be a phishing assessment or a physical security walk-through.

Reinforce within the first two months. A perfect way to do this would be a newsletter or lunch-n-learn.

If you think about it, technology has its own version of the Forgetting Curve. If you secure a computer today and then do nothing else for the rest of the year, over the following weeks and months its security continually degrades, to the point where a year later it is a highly insecure system. That is why we have active patch management programs to maintain the security of computers. An active security awareness program is no different: you need to be continually and actively reaching out to and updating people, patching them, if you will, at least every month. This is where most security awareness programs fail.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.